@softeria/ms-365-mcp-server 0.91.0 → 0.93.0

package/dist/cli.js

@@ -35,6 +35,9 @@ program.name("ms-365-mcp-server").description("Microsoft 365 MCP Server").versio
 ).option(
   "--public-url <url>",
   "Public base URL (e.g. https://mcp.example.com) used in browser-facing OAuth redirects when running behind a reverse proxy. Server-to-server endpoints (token, register) stay on the request host."
+).option(
+  "--obo",
+  "Enable On-Behalf-Of token exchange in HTTP mode. Exchanges the incoming bearer token for a Graph API token using the OBO flow. Requires MS365_MCP_CLIENT_SECRET."
 ).addOption(
   // DEPRECATED: kept only so existing deployments that set --base-url or
   // MS365_MCP_BASE_URL do not crash at startup. Use --public-url /
@@ -99,6 +102,9 @@ function parseArgs() {
       options.enableDynamicRegistration = true;
     }
   }
+  if (process.env.MS365_MCP_OBO === "true" || process.env.MS365_MCP_OBO === "1") {
+    options.obo = true;
+  }
   if (options.cloud) {
     process.env.MS365_MCP_CLOUD_TYPE = options.cloud;
   }

package/dist/endpoints.json

@@ -521,6 +521,13 @@
     "scopes": ["Files.Read"],
     "llmTip": "Generate a short-lived embeddable preview URL for a file (Office docs, PDFs, images). Body: { page?: number | string, zoom?: number, viewer?: 'onedrive' | 'office' }. Returns getUrl (interactive) and postUrl (form-post). Useful for surfacing inline previews in summary emails or chat messages without needing the recipient to open the file."
   },
+  {
+    "pathPattern": "/drives/{drive-id}/items/{driveItem-id}/thumbnails",
+    "method": "get",
+    "toolName": "list-drive-item-thumbnails",
+    "scopes": ["Files.Read"],
+    "llmTip": "Lists thumbnail sets for a file. Each set contains small (96px), medium (176px), large (800px) thumbnails with url and dimensions. Returns empty for unsupported types (text docs). Use $select=small,medium,large or $expand=small($select=url) to fetch specific sizes. The returned URLs are short-lived — fetch the bytes immediately."
+  },
   {
     "pathPattern": "/drives/{drive-id}/items/{driveItem-id}/permissions",
     "method": "get",

package/dist/generated/client.js

@@ -916,6 +916,27 @@ const microsoft_graph_permissionCollectionResponse = z.object({
   "@odata.nextLink": z.string().nullable(),
   value: z.array(microsoft_graph_permission)
 }).partial().passthrough();
+const microsoft_graph_thumbnail = z.object({
+  content: z.string().describe("The content stream for the thumbnail.").nullish(),
+  height: z.number().gte(-2147483648).lte(2147483647).describe("The height of the thumbnail, in pixels.").nullish(),
+  sourceItemId: z.string().describe(
+    "The unique identifier of the item that provided the thumbnail. This is only available when a folder thumbnail is requested."
+  ).nullish(),
+  url: z.string().describe("The URL used to fetch the thumbnail content.").nullish(),
+  width: z.number().gte(-2147483648).lte(2147483647).describe("The width of the thumbnail, in pixels.").nullish()
+}).passthrough();
+const microsoft_graph_thumbnailSet = z.object({
+  id: z.string().describe("The unique identifier for an entity. Read-only.").optional(),
+  large: microsoft_graph_thumbnail.optional(),
+  medium: microsoft_graph_thumbnail.optional(),
+  small: microsoft_graph_thumbnail.optional(),
+  source: microsoft_graph_thumbnail.optional()
+}).passthrough();
+const microsoft_graph_thumbnailSetCollectionResponse = z.object({
+  "@odata.count": z.number().int().nullable(),
+  "@odata.nextLink": z.string().nullable(),
+  value: z.array(microsoft_graph_thumbnailSet)
+}).partial().passthrough();
 const microsoft_graph_publicationFacet = z.object({
   checkedOutBy: microsoft_graph_identitySet.optional(),
   level: z.string().describe(
@@ -4565,6 +4586,9 @@ const schemas = {
   create_drive_item_preview_Body,
   microsoft_graph_itemPreviewInfo,
   microsoft_graph_permissionCollectionResponse,
+  microsoft_graph_thumbnail,
+  microsoft_graph_thumbnailSet,
+  microsoft_graph_thumbnailSetCollectionResponse,
   microsoft_graph_publicationFacet,
   microsoft_graph_driveItemVersion,
   microsoft_graph_driveItemVersionCollectionResponse,
@@ -5769,6 +5793,56 @@ Items with this property set should be removed from your local state.`,
     ],
     response: z.void()
   },
+  {
+    method: "get",
+    path: "/drives/:driveId/items/:driveItemId/thumbnails",
+    alias: "list-drive-item-thumbnails",
+    description: `Collection of thumbnailSet objects associated with the item. For more information, see getting thumbnails. Read-only. Nullable.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "$top",
+        type: "Query",
+        schema: z.number().int().gte(0).describe("Show only the first n items").optional()
+      },
+      {
+        name: "$skip",
+        type: "Query",
+        schema: z.number().int().gte(0).describe("Skip the first n items").optional()
+      },
+      {
+        name: "$search",
+        type: "Query",
+        schema: z.string().describe("Search items by search phrases").optional()
+      },
+      {
+        name: "$filter",
+        type: "Query",
+        schema: z.string().describe("Filter items by property values").optional()
+      },
+      {
+        name: "$count",
+        type: "Query",
+        schema: z.boolean().describe("Include count of items").optional()
+      },
+      {
+        name: "$orderby",
+        type: "Query",
+        schema: z.array(z.string()).describe("Order items by property values").optional()
+      },
+      {
+        name: "$select",
+        type: "Query",
+        schema: z.array(z.string()).describe("Select properties to be returned").optional()
+      },
+      {
+        name: "$expand",
+        type: "Query",
+        schema: z.array(z.string()).describe("Expand related entities").optional()
+      }
+    ],
+    response: z.void()
+  },
   {
     method: "get",
     path: "/drives/:driveId/items/:driveItemId/versions",

package/dist/obo-client.js

@@ -0,0 +1,42 @@
+import { ConfidentialClientApplication } from "@azure/msal-node";
+import logger from "./logger.js";
+import { getCloudEndpoints } from "./cloud-config.js";
+class OboClient {
+  constructor(secrets) {
+    if (!secrets.clientSecret) {
+      throw new Error(
+        "On-Behalf-Of flow requires MS365_MCP_CLIENT_SECRET to be set (confidential client)."
+      );
+    }
+    const cloudEndpoints = getCloudEndpoints(secrets.cloudType);
+    this.cca = new ConfidentialClientApplication({
+      auth: {
+        clientId: secrets.clientId,
+        clientSecret: secrets.clientSecret,
+        authority: `${cloudEndpoints.authority}/${secrets.tenantId || "common"}`
+      }
+    });
+    const graphBase = cloudEndpoints.graphApi.replace(/\/$/, "");
+    this.graphScopes = [`${graphBase}/.default`];
+  }
+  async exchangeToken(userAssertion) {
+    try {
+      const result = await this.cca.acquireTokenOnBehalfOf({
+        oboAssertion: userAssertion,
+        scopes: this.graphScopes
+      });
+      if (!result?.accessToken) {
+        throw new Error("OBO token exchange returned no access token");
+      }
+      logger.info("OBO token exchange successful");
+      return result.accessToken;
+    } catch (error) {
+      logger.error(`OBO token exchange failed: ${error.message}`);
+      throw error;
+    }
+  }
+}
+var obo_client_default = OboClient;
+export {
+  obo_client_default as default
+};

package/dist/server.js

@@ -19,6 +19,7 @@ import { getSecrets } from "./secrets.js";
 import { getCloudEndpoints } from "./cloud-config.js";
 import { requestContext } from "./request-context.js";
 import crypto from "node:crypto";
+import OboClient from "./obo-client.js";
 function parseHttpOption(httpOption) {
   if (typeof httpOption === "boolean") {
     return { host: void 0, port: 3e3 };
@@ -45,6 +46,7 @@ class MicrosoftGraphServer {
     this.graphClient = null;
     this.server = null;
     this.secrets = null;
+    this.oboClient = null;
   }
   createMcpServer() {
     const server = new McpServer(
@@ -103,6 +105,18 @@ class MicrosoftGraphServer {
     } catch (err) {
       logger.warn(`Failed to detect multi-account mode: ${err.message}`);
     }
+    if (this.options.obo) {
+      if (!this.options.http) {
+        throw new Error("--obo requires --http (On-Behalf-Of flow only works in HTTP mode).");
+      }
+      if (!this.secrets.clientSecret) {
+        throw new Error(
+          "--obo requires MS365_MCP_CLIENT_SECRET to be set (confidential client required for On-Behalf-Of flow)."
+        );
+      }
+      this.oboClient = new OboClient(this.secrets);
+      logger.info("On-Behalf-Of (OBO) flow enabled");
+    }
     const outputFormat = this.options.toon ? "toon" : "json";
     this.graphClient = new GraphClient(this.authManager, this.secrets, outputFormat);
     if (!this.options.http) {
@@ -174,7 +188,7 @@ class MicrosoftGraphServer {
         const protocol = req.secure ? "https" : "http";
         const requestOrigin = `${protocol}://${req.get("host")}`;
         const browserBase = publicBase ?? requestOrigin;
-        const scopes = buildScopesFromEndpoints(this.options.orgMode, this.options.enabledTools);
+        const scopes = this.options.obo ? [`api://${this.secrets.clientId}/access_as_user`] : buildScopesFromEndpoints(this.options.orgMode, this.options.enabledTools);
         res.json({
           resource: `${requestOrigin}/mcp`,
           authorization_servers: [browserBase],
@@ -398,7 +412,11 @@ class MicrosoftGraphServer {
           };
           try {
             if (req.microsoftAuth) {
-              await requestContext.run({ accessToken: req.microsoftAuth.accessToken }, handler);
+              let accessToken = req.microsoftAuth.accessToken;
+              if (this.oboClient) {
+                accessToken = await this.oboClient.exchangeToken(accessToken);
+              }
+              await requestContext.run({ accessToken }, handler);
             } else {
               await handler();
             }
@@ -436,7 +454,11 @@ class MicrosoftGraphServer {
           };
           try {
             if (req.microsoftAuth) {
-              await requestContext.run({ accessToken: req.microsoftAuth.accessToken }, handler);
+              let accessToken = req.microsoftAuth.accessToken;
+              if (this.oboClient) {
+                accessToken = await this.oboClient.exchangeToken(accessToken);
+              }
+              await requestContext.run({ accessToken }, handler);
             } else {
               await handler();
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.91.0",
+  "version": "0.93.0",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",

package/src/endpoints.json

@@ -521,6 +521,13 @@
     "scopes": ["Files.Read"],
     "llmTip": "Generate a short-lived embeddable preview URL for a file (Office docs, PDFs, images). Body: { page?: number | string, zoom?: number, viewer?: 'onedrive' | 'office' }. Returns getUrl (interactive) and postUrl (form-post). Useful for surfacing inline previews in summary emails or chat messages without needing the recipient to open the file."
   },
+  {
+    "pathPattern": "/drives/{drive-id}/items/{driveItem-id}/thumbnails",
+    "method": "get",
+    "toolName": "list-drive-item-thumbnails",
+    "scopes": ["Files.Read"],
+    "llmTip": "Lists thumbnail sets for a file. Each set contains small (96px), medium (176px), large (800px) thumbnails with url and dimensions. Returns empty for unsupported types (text docs). Use $select=small,medium,large or $expand=small($select=url) to fetch specific sizes. The returned URLs are short-lived — fetch the bytes immediately."
+  },
   {
     "pathPattern": "/drives/{drive-id}/items/{driveItem-id}/permissions",
     "method": "get",